.

Convincing upper management

<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Nov 04, 2010 12:42 pm

Convincing upper management

Hi everyone,

We have a problem here at the office. This relatively big organization (around 3000 people) doesn't have even one person dedicated to security! Since they think they haven't got hacked yet, upper management are basicaly saying: "why should we invest in security?".

A recent pentest showed that an attacker could get assess to EVERY SINGLE PC and servers! But that didn't help them change their mind. They change the anti-virus last year and found hundreds of malware, backdoors and viruses, but they don't want a full time person to look after their infrastrusture...

So what you we do?

1) Scared them by doing scary demos?
2) Show them what other similar places are doing?
3) ???

We are running out of ideas...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

ziggy_567

User avatar

Sr. Member
Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Thu Nov 04, 2010 12:58 pm

Re: Convincing upper management

Ahhh...the age old question.....

There are no easy answers, but from what I've learned, the best approach is to come at it from a business perspective.

Most managers speak in dollars and cents. If you can show how much an incident costs the company, you might get more traction. Also, remember that although you feel a great sense of responsibility, the ultimate responsibility is the business owner's. If you have presented all the facts and options available, and they still do not take your advice, that is their prerogative.

On a side note, my company is smaller than your, but we had pretty much the same results from our most recent pentest. The pentester actually got shell access on our billing system and had normal user domain credentials. With enough time, he would have had root/Domain Administrator. My direct supervisor was appalled that in basically 8 hours he was able to penetrate as deeply as he had, but that's about as far as it went. Management above him seem to believe that we are not a target and that we'll never be hacked. Maybe we won't. Maybe we are currently being hacked.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Nov 04, 2010 1:02 pm

Re: Convincing upper management

Management above him seem to believe that we are not a target and that we'll never be hacked.


I have heard that so often! Maybe changing this mentality is the key to achieve my goal... Thanks ziggy_567
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Nov 04, 2010 1:34 pm

Re: Convincing upper management

I've had similar issues in the past. And speaking dollar and cents really does get them to stop and pause.

We got hit with a virus outbreak last year. it took 6 of us (all salary) almost 2 weeks to scrub the whole network. Those 2 weeks that is all IT did. Pushed off the move we were working on, we told users if it wasn't virus related we couldn't help them etc.

This year the CFO wanted to allow people to bring their own computers in to work. Mostly marketing people with Macs. I explained the problem. Reminded him that we have less people in IT, and it would cost roughly $XXXX.XX a week for 4 weeks to fix it this time. $XXXX.XX being the combined weekly gross of the IT staff. I also pointed out that if something happens to their personal equipment at work that they'd most likely expect work to pay for it. :)

I've used that trick in some other issues here too. Like the number of hours vs my theoretical hourly pay when a developer decided to make a web server an open proxy.
OSWP, Sec+
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Nov 04, 2010 2:23 pm

Re: Convincing upper management

Thanks chrisj, you bring a good point.

Since we haven't had a big problem like this one yet (or at least, that we are aware of!), we could probably organize an exercise and extrapolate on the cost of a business wide outbreak or a major attack. Hummm...

But what about the impact on the reputation (for a government agency)? I guess we can also put a $ to it...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Darktaurus

User avatar

Full Member
Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Thu Nov 04, 2010 3:04 pm

Re: Convincing upper management

I agree H1t M0nk3y.  Also, I know information security standards like PCI-DSS are usually for financial institutions but FISMA and SOX has to influence a government agency, right.  That would have to put some pressure on management to do their due diligence and due care.  I would research some laws that show that not only can it be a hit to reputation and profits but it could possibly lead to charges being brought if any. 
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com
<<

apollo

Full Member
Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Thu Nov 04, 2010 3:06 pm

Re: Convincing upper management

So, their response isn't business related it's emotional.  So, in my opinion, you need to make an emotional case as well as a business case.  

For instance, knowing that during an outage, it cost you X, but it may have also meant that a manager had to explain him/herself to someone.  Nobody wants to be at the helm when the ship hits the iceburg, so you may be able to play that card at the same time.  

Figure out how your company makes money, create some scenarios, demonstrate the pre-cursors for those scenarios to take place, and then talk about what could be lost and how much can be gained from some initially simple steps.

If they got every single box, figure out how to make that harder, my guess is you can probably improve things with some things starting simple and then leverage those changes into having a "security specalist" and then work the specialist into a team over time.  
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Nov 05, 2010 7:06 am

Re: Convincing upper management

These are very good comments, thanks!

So to summarize:

- Do a risk and impact analysis, putting a dollar sign next to each scenario;
- Look at laws and rules that affect our business;
- Find a way to make upper management responsible for the security of the organization;
- And I would add, come prepared with plans and solutions. It is better to propose options A, B and C and let them pick one than looking unprepared with vague suggestions
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Nov 05, 2010 7:15 am

Re: Convincing upper management

Yes
Yes
Yes
and
Yes

<smiling>  Looks like you've got a good, running start, H1tM0nk3y.  Good luck with the effort!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

alucian

User avatar

Full Member
Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Fri Nov 05, 2010 7:28 am

Re: Convincing upper management

I realy understand your feelings.
I my company we have a team, we have some tools (and we will buy more) but our direct manager (which is not technical at all, and he is comming from mainframe via cobit implementation) is stopping us (mostly me) to do our jobs.
I understand the reason why the guys from the operations don't want me to do Nessus scans using credentials, but the fact that my boss agrees to any stupid reason drives me crazy  :-\. I even thought to move.

Anyway, I will be more patient and I will try to sell my ideas to the upper mgmt.
In another hand, a friend of mine works for a big company and he told me that they have no problems having operations implementing their demands. It seems that he's company had been hacked in the past and now security became extremely important.

@H1t M0nk3y  Be happy that you are not the only security guy in the company. If you'll get hacked you'll be blamed. Just stay cool and prepare yourself for better times (like next week-end when we'll have a beer in Ottawa  8) )
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Nov 05, 2010 8:10 am

Re: Convincing upper management

Money makes the world go around and your management knows this however, most companies don't like spending a dime on security where they don't need to. A method I've found for making them sway from this position is to not only justify the the business case FOR protecting themselves, but also the business case for protecting customers, vendor relationships AND for MAKING money off of security.

When I first started in my company, security wasn't an iota of a thought. Sure they had a firewall here, VPN there, antivirus here, etc., etc., we had individuals that didn't understand the technology, proper deployment, etc.

After reviewing our current infrastructure, I began laying out the roadmap of what I wanted to accomplish. 1) Securing our network 2) Developing an internal security team 3) Raise security awareness 4) Develop a mechanism to earn off of a secure infrastructure and services.


1) Was simple since I was tasked with being the lead security tester for a SIGv5 audit + PCI Assessment. Since I understood security in practice more than anyone else, my company flipped out at the thought of losing clients for audit failures and losing the right to process credit cards, etc.

2) A little tricky since I had to make management understand the benefits of training me and my colleagues. Management's fears will be "they will jump ship once certified..." I discussed with them the benefits of being able to go to clients with "credentialed" staff as opposed to "who are you again."

3) We do mailings every here and there where I will take news excerpts to raise awareness. Since we're a small company, I can interact and explain things to most employees. I use a lot of analogies to help them understand. This allows my colleagues to take the information with them and use it at home too. Something they appreciate more when presented to them like that.

4) After going through these motions for 3-4 years here, I developed, documented, explained, configured and deployed services to not only us here, but to certain clients. This enabled management to take a step back and focus on offering security as a service.

Anyhow, there is no "one size fits all" solution. Management does not like spending money. You should focus on fact that the costs of a compromise are a lot higher. Point out the FACT that even the biggest companies (Google, Raytheon, etc) are compromised and we KNOW they've spent on security. Make it a business case: the cost of NOT securing versus the one time cost of a compromise. Regulatory controls are your friend: If you need to maintain compliance, focus on the benefits of keeping compliance. Also focus on educating them about the potential revenue they CAN make by touting: "A Secure Company", "Defending our Clients", etc., most companies are aware of the security risks and most companies would prefer to do business with a company that is responsible as opposed to having "zero security."

In the event you do business with certain companies, it will be inevitable anyway. One of our clients is in the top 3 telecommunications sector worldwide. We were forced to do a SIG audit or risk losing business. After going through the motions with senior management, they then understood what the fuss was about. Being able to hand over a "statement of security accounting" shows the partner/client/etc., that you take business serious.
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Fri Nov 05, 2010 10:15 am

Re: Convincing upper management

H1t M0nk3y wrote:
- Do a risk and impact analysis, putting a dollar sign next to each scenario;



Beyond that. Not just the cost of containment and clean up, but the cost of lost productivity too, if you can do it. Otherwise just point out how many people will be getting paid to not work during that time.
OSWP, Sec+
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Fri Nov 05, 2010 10:30 am

Re: Convincing upper management

alucian wrote:In another hand, a friend of mine works for a big company and he told me that they have no problems having operations implementing their demands. It seems that he's company had been hacked in the past and now security became extremely important.


That doesn't always hold true. I've worked for 2 companies that have been hacked. Neither one really changed their stances.
OSWP, Sec+
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Nov 05, 2010 12:32 pm

Re: Convincing upper management

Thanks for the excellent feedback!

We do mailings every here and there where I will take news excerpts to raise awareness.


I also do what I call "Lunch and Hack" lunch session where for an hour, I talk about a given topic. My audiance is a group of web developers, but I also have other people coming in (around 15 every time). For example, the last topic was XSS.

Because of these sessions, I have been ask to prepare a similar presentation for upper management. I will have one chance, so hence this email...

But this is gret, thanks! I am moving forward!!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

Return to Other

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software